The best VPNs for Linux in 2019 (and the worst)

Although many open-source VPN clients are available for Linux, a native app from the provider requires less configuration and comes with more features. Only VPNs that offer a native client for Linux, score highly in our 19-point security and privacy assessment, and are top performers in our daily independent speed tests make our list of the best VPNs for Linux.

Ubuntu, Fedora, OpenSUSE, Kali, and Mint users often get the short end of the stick when it comes to software, and VPN services are no different. Let’s be honest: Linux users are low on the priority list for most companies and developers. That’s why we set out to find the best VPN providers who have taken the time to give Linux fans some attention.

To connect to a VPN server on Linux, OpenVPN, OpenConnect, AnyConnect, and Network Manager are all popular VPN clients. But even better is a provider that makes a plug-and-play native VPN client. They require far less configuration and tend to come with more features and perks than their generic peers. That’s why every Linux VPN we recommend in this list offers a slick app just for you.

Best VPNs for Linux

ExpressVPN released its official Linux app in April 2016. It runs using a command-line interface rather than the desktop GUI available on Windows and Mac, but it’s still far easier than downloading and managing config files for each server. The server list is always kept up to date, and users can easily switch between UDP and TCP over the OpenVPN protocol. ExpressVPN costs a little more than some rivals, but it does offer a 30-day money back guarantee and clocked much faster speeds in our testing. ExpressVPN works on Ubuntu, Debian, Fedora, Kali, and CentOS.

ExpressVPN tops our list as it scores well in all key areas including privacy, speed and customer support. It is also the only VPN on this list that has consistently worked to unblock all content we have tested, including Netflix, Hulu, BBC iPlayer and HBO.

Update: ExpressVPN has made some notable improvements by allowing up to 3 simultaneous devices and introducing a kill switch.

BEST VPN FOR Linux:ExpressVPN is our Top Choice and a pleasure to use. Tested on Ubuntu, Debian, Fedora, Kali, and CentOS. It has a vast network of servers that is fine-tuned for high-speed connections. User-friendly apps for all operating systems. Tough to beat on privacy and security. There is a 30-day no-quibbles money-back guarantee so you can try it risk-free.

NordVPN just launched its dedicated Linux app in August 2018. The command-line app has no GUI (graphical user interface), but it’s still far easier to set up and use than manually configuring servers. The Linux app comes with most of the same great features you get on other operating systems, including an automated kill switch, ad blocker, and anti-malware filter. If you still prefer doing things the old-fashioned way, Nord boasts an extensive user base of tutorials including detailed Linux setup instructions for OpenVPN, IKEv2, and PPTP protocols.

Based in Panama, NordVPN allows up to six simultaneous connections, a zero-logs policy, and specialized servers for streaming, P2P, and added security. It can unblock geo-locked content on sites and apps like Netflix, Hulu, and BBC iPlayer. Over 4,500 servers are on offer in more than 60 countries. Every connection is protected with 256-bit encryption, and the IKEv2 protocol features perfect forward secrecy to ensure no one can decrypt past sessions even if they discover the encryption key.

Private Internet Access (PIA) is one of our best reviewed VPNs to date but does lose some points for not unblocking content such as Netflix and other geo-restricted content. It’s not pretty, but it’s remarkably affordable, lets you connect five simultaneous devices, offers acceptable (if not great) speeds, and is as secure as they come. PIA is one of the most popular premium VPNs among Linux users, and deservedly so. OpenVPN encrypted with 256-bit AES is the default protocol, but this can be tweaked to your heart’s content. PIA will work on both Debian and Fedora distros, but Fedora and OpenSUSE users will find the process a bit more complicated.

ProtonVPN now makes a command-line app for Linux that lets you see the full list of servers and more easily manage connections. The tool is open-source so you’re free to inspect and modify the code as you please. It works on Ubuntu, Fedora, Archlinux/Manjaro, Kali, and Solus. All connections use the OpenVPN protocol, and you can quickly switch between servers.

Proton emphasizes privacy in all of its services, and its VPN is no different. You get top-notch security and a strict zero logs policy. ProtonVPN allows P2P filesharing and unblocks US Netflix.

Great Speeds:ProtonVPN is reliable. This is a fast and reliable VPN service that is suitable for streaming and torrenting, although it’s on the pricier side. 30-day money-back guarantee

AirVPN offers native Linux apps for Debian/Ubuntu and openSUSE/Fedora, including Kali Linux. These can be used through either the command line or a GUI. You won’t find more comprehensive security settings on a VPN client. AirVPN lets users activate a kill switch, connect using OpenVPN over SSH and SSL, and forward traffic through a number of alternative ports. Prices are mid-range.

Mullvad’s open-source Debian/Ubuntu client comes with an internet kill switch, DNS and IPv6 leak protection, and IPv6 routing. It keeps no logs–not even connection logs, so it’s airtight when it comes to security. It allows three simultaneous connections. Port forwarding is available for evading firewalls. The server selection is limited, but it’s quite affordable. Mullvad currently only offers a Debian/Ubuntu package.

VPNs that Linux users should avoid

Several tutorials out there will show you how to install OpenVPN. That’s great, because OpenVPN is probably the best VPN protocol on the market. However, OpenVPN is just a protocol and a client. It is not a VPN service in and of itself. You will still require a server or servers to connect to, and this is where many people run into privacy issues.

All of the above paid services we’ve listed above have zero-log policies, meaning they don’t monitor or record how you use the VPN. This means a hacker can’t breach the provider’s servers and find dirt on you, the company can’t sell your info to third parties, and law enforcement can’t coerce the company into giving up private info about customers.

With free VPNs, the reality is often very different. A company isn’t going to waste money hosting and maintaining a VPN server without expecting something in return. That’s why it’s very important to read up on a company’s privacy and logging policies before you connect.

Furthermore, stay away from VPN services that only offer a PPTP connection. PPTP is fast and simple to set up, but it contains several security vulnerabilities.

itshidden

This free VPN service only uses PPTP connections, so it’s clearly not secure. The privacy policy is one sentence long and even that has typos in it. Granted, the one sentence claims the service doesn’t keep any traffic logs, but we’d hardly call that a policy.

SecurityKISS

Searching for a free VPN for Linux on Google might lead you to SecurityKISS. The company stores connection logs and IP addresses of users, a practice which privacy advocates frown upon. In the free version, your usage is capped at 300MB per day. In the paid version … well it doesn’t really matter because there are at least a half dozen better options.

USAIP

Another mediocre VPN service that somehow weaseled its way into search results, USAIP’s latest Linux client only uses PPTP. It also doesn’t provide its own DNS servers or default to Google’s, which means your ISP can still monitor your activity. On top of that, it doesn’t disclose its logging policy.

What makes a good Linux VPN?

Our list of the best VPNs for Linux is based on the following criteria:

A Linux app is available, so little or no manual configuration is required

Fast speeds

Strong security

No activity logs or IP address logs

Can unblock geo-locked websites, apps, and streaming services

Short for Virtual Private Network, a VPN encrypts all of a device’s internet traffic and routes it through an intermediary server in a location of the user’s choosing. This has a myriad of benefits ranging from improved online privacy, better security when connected to public wi-fi, and the ability to unblock geo-locked sites, apps, and services.

Securing Linux

A VPN is a great step toward securing your Linux system, but you’ll need more than that for full protection. Like all operating systems, Linux has its vulnerabilities and hackers who want to exploit them. Here are a few more tools we recommend for Linux users:

Antivirus software

Anti-rootkit software

Tripwire

Firewall

Security-focused browser extensions

You can learn about all of these tools, which ones to use, and how to install them in our Linux Security Guide. There you’ll also find tons of other tips and advice for securing Linux.

Why should I use a VPN for Linux?

A VPN has multiple uses and can be applied in a number of different scenarios.

Privacy

At its core, a VPN is a tool designed for privacy. If you’re worried about someone monitoring what you do online, such as an internet service provider, hacker, or government agency, a VPN can help. A VPN achieves privacy in two key ways.

First, all of the data you send and receive over the internet is encrypted before it even leaves your device. So long as the encryption is strong–128-bit and 256-bit AES are both sufficient and common with modern VPNs–no one will be able to crack it. If, for example, your ISP wanted to record your browsing history, it would instead only see indecipherable text.

Second, using the same example, the ISP cannot see where a VPN user’s internet traffic is going to or coming from. It can only see that data is travelling between your computer and the VPN server. It cannot see the destination of your internet traffic and can therefore not monitor what websites, apps, and services you use. Websites that you visit won’t be able to track you so easily, as your IP address is hidden behind that of the VPN server, and IP addresses play a huge role in how advertising companies and other data gathering entities create user profiles.

An important distinction to make here is the difference between VPN logging policies. All of the VPN providers we recommend in our list of the best VPNs for Linux do not keep traffic logs, meaning they do not monitor your activity while connected to the VPN. Many other VPNs log your activity in different ways and should generally be avoided; being tracked by your VPN is hardly better than not having a VPN at all.

Security

Security and privacy often go hand in hand. A VPN can help secure your device by protecting it from online threats. Public wifi, for example, is a minefield for unprotected devices. Hackers can hijack unsecured wifi routers or create their own fake hotspots and wreak all sorts of havoc on any device that connects to them. An attacker could steal or modify any data sent over an unsecured network.

Even when you’re not on public wifi, a VPN can protect your device from several threats. By masking your IP address–a common a VPN removes a common attack vector used by hackers to target a specific person. Many VPNs also come with built-in malware filtering.

Unblocking geo-locked content

Many websites, apps, and online services are restricted to residents of certain countries or regions. A popular use case for VPNs is unblocking geographically restricted, or “geo-locked,” content. This includes streaming video sites like Netflix, Hulu, BBC iPlayer, and Amazon Prime Video. It also applies to online banking and shopping sites by “spoofing” your location. The website in question only sees the location of the VPN server you chose to connect to and not your real location. You can even avoid blackout restrictions on live streaming sporting events.

Bear in mind that many streaming video providers are adverse to VPN use because of content licensing agreements that force them to only offer content within certain countries. As such, they often block connections from known VPN servers. A handful of VPNs can bypass these restrictions; just use the search bar on this site to find a list of the best VPNs for your favorite streaming site, be it Netflix, Hulu, or something else. From the list above, ExpressVPN is the most capable unblocker.

Bypassing censorship

Censorship stinks, whether you’re in an authoritarian country like China or an office building with an overzealous firewall. By routing your internet traffic around the firewall through a VPN server, you can evade such restrictions and freely access the open internet. In all but a very small fraction of countries, using a VPN is perfectly legal.

Be warned, however, that some countries block known VPN servers, so not all providers can bypass censorship measures. Be sure to check with the individual provider and ask if it can unblock censored sites from your country.

Torrenting

ISPs often frown upon torrenting, whether you’re downloading legally or illegally. An ISP might penalize your account by restricting bandwidth, for example. Furthermore, the BitTorrent network is rife with copyright trolls looking to make a quick buck by collecting IP addresses of downloaders and sending them threatening settlement letters through their ISP.

A VPN is an essential tool for torrenting. When connected to a VPN, your ISP cannot distinguish between different types of traffic, torrenting or otherwise. And because your IP address is masked by the VPN server’s IP address, copyright trolls cannot track you down. Just make sure to choose a VPN provider that doesn’t log your real IP address. You can cross reference the list above with our list of the best VPNs for torrenting to find the best fit for you.

A note on OpenVPN

Even if a VPN provider doesn’t make a dedicated native client for your Linux distro, almost all of them will provide configuration files that work with OpenVPN. All you need to do is download a config file for each server you want to connect to. This can get tedious if you like to have a lot of options, but it’s perfectly feasible.

OpenVPN is great, but the generic client isn’t as packed with features like DNS leak prevention and internet kill switches. Again, you can find scripts and packages that will take care of these for you, but we prefer the convenience of clients with all this stuff built in.

How to install and connect to OpenVPN on Linux

Here we’ll show you how to install the OpenVPN client on Ubuntu. Other distros, such as Mint and CentOS, should work similarly, but the commands might vary slightly.

Open a terminal

Type sudo apt-get install -y openvpn and hit Enter

Type your admin password and hit Enter

Type y and hit Enter to accept all dependencies and complete the installation.

Note that on newer version of Ubuntu, you may need to swap out the “apt-get” part of the commands with “yum”.

Once OpenVPN is installed, you need config files. Usually you can download .ovpn config files from your VPN provider’s website. Each config file is associated with a particular server and location so grab a few of them for each location you want to connect to. Make sure to have backups in case a server goes down.

To connect via command line, which should work across most distros:

With OpenVPN installed, type sudo openvpn –config in the terminal and hit Enter

Drag and drop the .ovpn config file for the server you want to connect to into the terminal. The correct path will be automatically captured.

Hit Enter and wait for the “Initialization Sequence Completed” message. You are now connected to the VPN. You can minimize the terminal window, but closing it will disconnect you from the VPN.

This is just one way to connect. You can also try the Ubuntu Network Manager or the OpenVPN GUI. These may require CA certificates and/or private keys from your VPN, so make sure those are available from the provider’s website.

How to make a VPN kill switch in Linux

In the event that the VPN connection unexpectedly drops, the computer will continue to send and receive traffic sent over your ISP’s unprotected network, possibly without you even noticing. To prevent this behavior, you can make yourself a simple kill switch that halts all internet traffic until the VPN connection is restored. We’ll show you how to write some easy rules using iptables and the Ubuntu Ultimate Firewall (UFW) application.

First, create a startvpn.sh script that puts firewall rules in place. These firewall rules only allow traffic over the VPN’s tun0 network interface, and they only allow traffic over that interface to go to your VPN’s server.

$ cat startvpn.sh
sudo ufw default deny outgoing
sudo ufw default deny incoming
sudo ufw allow out on tun0 from any to any
sudo ufw allow out from any to 54.186.178.243 # <-- note this is the IP from the "remote" field of your configuration file
sudo ufw enable
sudo ufw status
sudo openvpn client.conf &

Network traffic cannot pass over any other network interface with these firewall rules in place. When your VPN drops, it removes the tun0 interface from your system so there is no allowed interface left for traffic to pass, and the internet connection dies.

When the VPN session ends, we need to remove the rules to allow normal network traffic over our actual network interfaces. The simplest method is to disable UFW altogether. If you have existing UFW rules running normally, then you’ll want to craft a more elegant tear down script instead. This one removes the firewall rules and then kills openvpn with a script called stopvpn.sh

If you use some other means to connect to your VPN, you can eliminate the last two lines of each script. In such a configuration, you will have to remember to manually run the startvpn.sh script prior to starting your VPN using some other method. Once your VPN session ends, remembering to run the stopvpn.sh script isn’t hard; you’ll probably notice the lack of internet connectivity until you run it.

Which Linux distro is best for privacy?

If you’re concerned about privacy, switching from MacOS or Windows to any open-source Linux distro is already a step in the right direction. Apple and Microsoft both collect personal data from users on their respective operating systems. Both companies are known to cooperate with law enforcement and intelligence agencies like the NSA. Microsoft uses customers’ data to sell ads. Both OSes are closed source, meaning the public cannot peak at the source code to see where vulnerabilities or backdoors lie.

Linux, on the other hand, is open source and frequently audited by the security community. While Ubuntu once flirted with Amazon to monetize users, it and other distros are generally not out to make a buck by selling your data to third parties.

Not all Linux distros are created equally, however, and some are more secure than others. If you’re looking for a distro that functions as a day-to-day desktop replacement but is also built with privacy and security in mind, we recommend Ubuntu Privacy Remix. UPR is a Debian-based Ubuntu build that stores all user data on encrypted removable media, such as an external hard drive. The “non-manipulatable” OS is supposedly immune to malware infection.

You’ll still need a VPN to encrypt your internet connection. Most of the apps from the VPN providers above should work fine on UPR.

If UPR isn’t enough and you want to use your computer with complete anonymity, we recommend TAILS. Short for The Amnesiac Incognito Live System, TAILS is a Linux distro built by the same people who created the Tor network. TAILS is a live OS designed to be installed on and run from a USB drive or CD. It’s a hardened version of Linux that routes all internet traffic through the Tor network. It leaves no trace of ever being used after removing it from the device.

Making your own VPN

If you don’t trust commercial VPN providers or you just prefer a DIY solution, you could always roll your own VPN. You’ll need to set up your own server. Common options are virtual private cloud services like Amazon Web Services and Digital Ocean. A variety of tools at your disposal that will assist you in getting a homegrown VPN up and running:

OpenVPN

Streisand

Algo

SoftEther VPN

StrongSwan

Each has its own pros and cons in terms of protocol, security, features, and ease of use. We’ve got a great tutorial on how to set up OpenVPN with a Linux client and Amazon EC2 Linux instance.

But even though rolling your VPN gives you full control over almost every aspect of how the VPN operates, there are some drawbacks. First, it’s much more difficult than using pre-existing servers and pre-configured apps. Secondly, if you’re using a cloud service like AWS or Digital Ocean, your data still passes through the hands of a third party. Third, you only get a single server and location to connect to.

Finally, and perhaps most importantly, rolling your own VPN likely means that only you and perhaps a handful of acquaintances will be using it. That makes it much easier to trace activity back to a specific person. The best VPNs for Linux that we recommend, on the other hand, typically assign users shared IP addresses. Dozens and even hundreds of users can be pooled together under a single IP, effectively anonymizing traffic as it leaves the VPN server.

At this point in time, PIA’s so-called “plug and play native client” does not work on Ubuntu 17.04. And their support is TERRIBLE. It took them three weeks to respond to my last service problem. Three weeks even to acknowledge that I’d contacted them.

Drag the config file into the terminal window BEFORE pressing enter.If you press enter BEFORE dragging the config file to the window, as suggested, you’ll get an error from the partially completed command.

Thanks for the list. From my experience PIA does not work with Linux Mint. I have tried it and gone back and forth with support for weeks and gave up. I am now looking for another client that actually supports Linux.